Notices by Wolf480pl (wolf480pl@mstdn.io)

@ayo btw what do you call it in Dutch?

@ayo in Polish it's "wolne oprogramowanie", where "wolne" can mean both "free as in freedom" and "slow", which is quite funny :D

@ignaloidas @amonakov @uecker
> node
> long-term maintenance

Cotation needed

@uecker @ignaloidas @amonakov
trick question:

how much time does each of you (Martin in C, Ignas in Python) spend checking whether the library authors promise backwards compatibility, security updates, and whether they're likely to still be around 3 years from now?

@ignaloidas @amonakov
NSS
GnuTSL
OpenSSL
LibreSSL
BoringSSL
WolfSSL
mbedTLS
AWS-LC

did I miss any?

@amonakov what about things that cannot be implemented in a portable way (like stdio, file io, sockets, etc) ?

@rin @jonossaseuraava are you sure this isn't upside-down arabic? :thinkeyes:

@algernon moral of the story: computers are fast, we're just using them wrong most of the time?

@ayo so, I don't know how perl packaging works, but assuming it works like pip:

typically language-level package managers don't have the ability to add a dependency on OS-level tzdata... so I don't see an advantage of getting the source from a language-specific package repository as opposed to straight from the maintainer's website / github / etc

@ayo (if there was, it'd be packaged by your distro, not on CPAN)

@makdaam @domi @lanodan
oh, and also about goals

At my $dayjob, the reason I do anything about vulns at all is compliance with a standard.

But I look at the standard, try to figure out why someone would put a particular requirement in the standard, and try to think of something that we could do that is actually useful, that could also be argued to check the box.

I think this might be a rare attitude.

@makdaam @domi @lanodan
Now, you could argue that if the checkbox didn't shield companies from liability, they would care more about security, because simply ignoring vulns would get them sued to oblivion.

And maybe that is the case in some fields.

But IME it's more about the choice between trying to meet an impossible standard, and not giving a fuck thus doing nothing.
2/2

@domi @lanodan
IME the hardest part of the problem is that if a python library has 50 functions

one of them is vulnerable

and you use a different one

with input that is not user-controlled

it's still getting flagged, and there's no way to filter that out without someone who understands the code taking a look at it.

In an ideal world, vulns would be expressed through a type system.
1/

@domi @lanodan
but IRL, if I could just

take all known exploits

automatically run them against our public endpoints, to find all the things a script kiddie can easily find

and patch only those things

that'd probably prevent 80% of the likely attacks for 10% of the effort

@makdaam @domi @lanodan
don't worry about thread necromancy, it hasn't even been a week yet

So you're saying that the checkbox exists purely for performative/blameshifting purposes?

I think even if that is true, the side effect of complying with the checkbox is doing some good things. In this case - how do you make the CVE scanner happy without patching at least some vulns?

And if you patch some vulns, you're already doing better than those who don't give a fuck.

1/

@denza252 god I wish

@piggo my first LAN had an 8-port switch that had 2 LEDs for each port: green for link, and amber to indicate speed.

Amber LED on = 100Mbit/s
Amber LED off = 10Mbit/s

100Mbit was fast back then.

Both were faster than my internet connection

@lanodan @domi @rozenglass @ignaloidas
Still, OpenWRT exists and supports a bunch of routers, and LineageOS exists and supports a bunch of phones.

Is it 100% open-source? No.
But it's enough that you can modify a lot of the interesting behaviours of the device.

I've never seen custom firmware for a non-Linux router.

I've heard there were firmware mods for Symbian phones, but AFAIK they were much more limited in what they change

@ignaloidas @lanodan @domi @rozenglass is there any development model other than Linux's that'd ensure we get enough source code that we can build custom firmware for these devices?

@ignaloidas @lanodan @domi @rozenglass
them moving away from Linux would be a shame - I don't want a VxWorks wifi router :(